A Micro Focus customer wanted to introduce the Work from Home option for its employees. To resolve system-related issues that might occur on these devices, the customer required remote control access. Remote access can be achieved by the use of JoinProxy servers.
Micro Focus had successfully tested a scenario in which 5000 devices were connected to a JoinProxy server. However, a scenario in which more than 5000 devices are connected to the JoinProxy server was not tested.
JoinProxy Satellite Servers require a public IP address. The customer had more than 5000 devices and they had a limitation on the number of IP addresses that could be exposed in the public network. Hence, they requested Micro Focus for a solution.
For this scenario, multiple JoinProxy Satellite Servers are required, with each server listening on a different port. These servers can be within the office network. Apart from these servers, a device (router) with a static IP and port forwarding enabled is required in the public network. This device redirects connection requests made to a certain port to a particular JoinProxy server.
For example, if there are two JoinProxy servers, JoinProxy1 and JoinProxy2, JoinProxy1 should listen on Port 1 and JoinProxy2 should listen on Port 2. Port forwarding should be enabled on the router so that all requests received by the router on Port 1 are redirected to JoinProxy1 and all requests received on Port 2 are redirected to JoinProxy2.
- Multiple JoinProxy servers (based on tests, one JoinProxy Satellite Server is required for every 5000 managed device connections)
- One device (a router, or any machine on which port forwarding can be set up). This device should be in the public network and it should have a static IP.
The test setup included the following:
- A managed device in a private network (Example: Home)
- A Primary Server and a JoinProxy Satellite Server in another private network. (Example: Office)
The Primary and JoinProxy servers could communicate with each other. However, the Primary and JoinProxy servers could not communicate with the managed device.
Between the two networks a router with two network interface cards (NICs) was introduced.
The managed device and the Primary and JoinProxy Servers could connect to this router.
Configuration: The managed devices should be divided so that there is one JoinProxy for every 5000 managed devices. For example, if there are 10000 managed devices, divide them into two sets of 5000 each. Configure the Closest Server Rules so that the first 5000 devices connect to JoinProxy1, which listens on Port 1, and the next 5000 devices connect to JoinProxy2, which listens on Port 2.
On each managed device, edit the etc/hosts file so that the hostname of each JoinProxy resolves to the IP of the router. That is, both JoinProxy1 and JoinProxy2 resolve to the IP of the router.
How it Works
When the agent starts, it tries to connect to the JoinProxy server using the JoinProxy's hostname. Since the hostname resolves to the router's IP, the agent connects to the router. The router is configured so that any request received on Port 1 (for example, 7019) is forwarded to Port 1 (7019) of the JoinProxy server. The request therefore reaches the JoinProxy, and the connection is established between the managed device and the JoinProxy server.
- The JoinProxy servers should be configured to listen on different ports. For example, if there are two JoinProxy servers, JoinProxy1 should listen on Port 1 and JoinProxy2 should listen on Port 2.
- The etc/hosts file should be updated on the managed devices so that all the JoinProxy hostnames resolve to the same router IP. For example, if the router's IP is 10.1.1.1 and the hostnames are JoinProxy1 and JoinProxy2, then both JoinProxy1 and JoinProxy2 should resolve to 10.1.1.1 in the etc/hosts file.
- With this setup, you can perform remote management with Password authentication. To perform remote management with rights-based authentication, the Primary Server should be accessible from the managed devices. Hence, the Primary Servers and the managed devices have to be in the public network.
- You need to ensure that the devices in the public network are properly secured.
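As an added worked example (not part of the original article or the product), the layout above expressed as a small Python planner: it derives the JoinProxy count from the tested 5000-device limit, rejects JoinProxy servers that share a listening port, renders the managed device's hosts entries and the router's port-forwarding rules, and traces one agent connection through the hosts lookup and the per-port forward. The router IP 10.1.1.1 and port 7019 are the article's own values; the internal addresses, the interface name eth0 and an iptables-based Linux router are assumptions.

```python
import math
from dataclasses import dataclass

DEVICES_PER_JOINPROXY = 5000  # tested limit quoted in the article

@dataclass(frozen=True)
class JoinProxy:
    hostname: str     # name the Closest Server Rules hand to the agent
    internal_ip: str  # address inside the office network (constructed)
    port: int         # listening port; must differ per JoinProxy

def joinproxies_needed(device_count: int) -> int:
    """One JoinProxy Satellite Server for every 5000 managed devices."""
    return max(1, math.ceil(device_count / DEVICES_PER_JOINPROXY))

def ports_are_unique(proxies: list[JoinProxy]) -> bool:
    """The router forwards on destination port alone, so no two may share one."""
    return len({p.port for p in proxies}) == len(proxies)

def _require_unique_ports(proxies: list[JoinProxy]) -> None:
    if not ports_are_unique(proxies):
        raise ValueError("each JoinProxy must listen on a distinct port")

def hosts_entries(router_ip: str, proxies: list[JoinProxy]) -> list[str]:
    """hosts-file lines for a managed device: every JoinProxy name -> router IP."""
    _require_unique_ports(proxies)
    return [f"{router_ip}\t{p.hostname}" for p in proxies]

def dnat_rules(public_if: str, proxies: list[JoinProxy]) -> list[str]:
    """Port-forwarding rules, assuming a Linux router using iptables (a matching
    FORWARD accept rule is also needed on a default-deny router)."""
    _require_unique_ports(proxies)
    return [f"iptables -t nat -A PREROUTING -i {public_if} -p tcp --dport {p.port} "
            f"-j DNAT --to-destination {p.internal_ip}:{p.port}" for p in proxies]

def trace_agent(router_ip: str, proxies: list[JoinProxy], hostname: str) -> tuple[str, int]:
    """Follow one agent connection: hosts lookup first, then the per-port forward."""
    hosts = dict(line.split("\t")[::-1] for line in hosts_entries(router_ip, proxies))
    port = next(p.port for p in proxies if p.hostname == hostname)
    assert hosts[hostname] == router_ip  # the agent only ever reaches the router
    by_port = {p.port: p for p in proxies}  # the router keys on destination port alone
    return by_port[port].internal_ip, port

# Constructed sample layout: router IP from the article, internal addresses assumed
ROUTER_IP = "10.1.1.1"
PROXIES = [JoinProxy("JoinProxy1", "192.168.10.11", 7019),
           JoinProxy("JoinProxy2", "192.168.10.12", 7020)]

if __name__ == "__main__":
    print("\n".join(hosts_entries(ROUTER_IP, PROXIES) + dnat_rules("eth0", PROXIES)))
```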